Phishing is the term used for all types of scams that bypass cyber defences by tricking people into handing over information. Bad actors use it to steal money, install ransomware or steal private data. Often they are looking for passwords.

Forms of phishing have been around for almost 30 years, and have grown more and more advanced over that time. CERT NZ, the government’s Computer Emergency Response Team, lists ‘phishing’ as New Zealand’s most common type of cyber-attack.

Phishing works by impersonating messages from someone you trust. That could be a company, an organisation or a person. Banks and firms like PayPal are favourites, so are government agencies.

Messages range from convincing-looking email resembling the real thing to half-baked attempts with obvious mistakes. The best ones use an organisation’s logos or designs and mirror its language.

Phishing trends 
A recent trend in phishing is to start communication with an email or text message then move to a voice call. Last year a campaign told targets they had automatically renewed an antivirus subscription and needed to call a number to cancel.

Spear phishing
Spear phishing is a more sophisticated version of the scam that targets individuals. Everyday phishing campaigns contact people in bulk. Even if only a tiny fraction takes the bait, the phishers get a pay-day. Spear phishing instead focuses energy on a single person. Scammers will research their target through company websites and social media sites like linkedin, and use that information to appear more plausible. They may send messages that look as if they come from someone in your organisation or an outside organisation you have a relationship with.

First line of defence
The messages usually arrive by email or text although they can turn up through social media and other communications. N4L offers an Email Protection service that is an effective first line of defence against phishing emails.

Email Protection blocks emails when its security filters detect a risk. It acts to prevent phishing attacks, business email compromise and ransomware from ever making it to a school’s inbox. Email Protection comes with expert support from N4L’s security team.

For example, last year some schools were affected by a scam based on NZTA Waka Kotahi notices which sent people to a plausible vehicle registration site. N4L’s Email Protection blocked the majority of emails before they reached inboxes, then advised schools about the threat and explained how to spot legitimate emails.

Email Protection is fully-funded, which makes it a better option for schools than the other email filtering services that may involve additional costs. Contact us on 0800 LEARNING if you want to get it for your school.

Tips for repelling phishing attacks
Many phishing messages won’t make it past N4L’s Email Protection. If your school has our solution in place, it is the best first line of defence. A second line of defence is making sure staff and students know how to identify phishing emails. Keep the below tips in mind at all times and to make sure everyone who deals with email has up to date cyber education.

1. Make everyone phishing aware
Your school’s defence against phishing is only as good as the weakest link. Everyone who deals with incoming messages should be aware of the threat

2. Put phishing-safe policies in place
Decide in advance what administrative staff should do if, say, an unexpected invoice arrives. Make a policy of never handing out private information.

3. Does it ‘smell’ phishy?
Your instincts and common sense can be good here. If you get an official looking email with poor spelling, poor grammar or in the kind of language that you don’t expect from that organisation, there’s a good chance it is a scam. Warning signs are emails with lots of capital letters or indiscriminate use of exclamation marks and emojis. Just remember that scammers won’t always be sloppy. With access to tools like AI tools ChatGPT, scammers will be able to construct scams with the correct grammar and tone, even in languages they aren’t fluent in.

4. Check the email address, then check it again
If you have had previous email from, say, a bank, then get one from a different email address, treat it with suspicion. Some phishers use obviously questionable addresses. Others might use ones that have some relationship with the original, but with differences: it can be as minor as a single character. If it looks strange, it could be a scam.You may notice the incoming email address differs from the address when you hit the reply button. This may indicate a scam, especially if the email address has no relationship to the organisation the email pretends to come from.Likewise, unless you are on regular first name terms with the sender, be wary of email addresses from organisations that use a single first name. Your insurance company will never send a message from an address like [email protected], for instance.

5. View links before you click
Often you can hover over a weblink in an email to see the target address before you click to connect. The written link might look fine, but if the link preview shows a strange address, then it could be dangerous. Don’t click.Take extra care if you get an email out of the blue with a form to fill or one that points to a link where you need to fill in any private information.

6. Be wary of phone numbers
If a suspicious email asks you to phone a number, check with the company’s online site that it is correct. Legitimate company emails are unlikely to ask you to call a private mobile number or an overseas number.

7. Do they know who you are?
Organisations you deal with know your name and they tend to use it. Phishers often use impersonal forms of address, sometimes bizarre attempts at friendliness or chattiness. Unfortunately, spear phishers often do know their targets so there is no hard and fast rule here.

8. Watch for tight deadlines
There may be times when a legitimate correspondent needs urgent action. However in general, urgency of the “act today or we will close your account” is a sign of a scammer. Apart from anything else, they want to collect their money before the authorities catch up with their scam.

9. Never give out passwords
Responsible companies and organisations will never ask you for a password in an email or text. You should view a request for password information as a red flag.

10. Stay alert
Phishing attacks are designed knowing there will be times when you are busy or distracted and at risk of making a mistake. Make being precautious of phishing a general work habit.

If you click on a phishing link
Clicking on a phishing link can happen to anyone. If you realise you’ve clicked on a link, or notice a phishing message, act quickly to minimise the damage:

  • Contact your IT support person or team and work with them to change your password as soon as possible.
  • Report the case to N4L so that we can protect your and other schools from its impact. We’ll also provide you with guidance on what to do next.